
stapter WP & notes

吞脚 2025-11-7 21:34

A box I really like. It effectively exposed my own weaknesses, and I fell into basically every rabbit hole in it, so I'm writing this up as a walkthrough plus notes.

Reflection: working a box is often counter-intuitive. Sometimes you can't go on gut feeling, or skip something just because it seems unlikely; it is a rigorous, purely rational process.

WP section

nmap

[code]┌──(kali㉿kali)-[~/PG/replayplay/stapter]
└─$ nmap -sT -p- 192.168.113.240 -oA nmapscan/ports
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-15 09:52 EDT
Nmap scan report for 192.168.113.240
Host is up (0.0038s latency).
Not shown: 65523 filtered tcp ports (no-response)
PORT      STATE  SERVICE
20/tcp    closed ftp-data
21/tcp    open   ftp
22/tcp    open   ssh
53/tcp    open   domain
80/tcp    open   http
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn
666/tcp   open   doom
3306/tcp  open   mysql
12380/tcp open   unknown
MAC Address: 08:00:27:D9:17:D1 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 119.02 seconds[/code]

Cutting out the ports with awk

[code]┌──(kali㉿kali)-[~/PG/replayplay/stapter]
└─$ port=$(cat nmapscan/ports.nmap | grep open | awk -F '/' '{print $1}'|paste -sd ',')[/code]
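The grep-based one-liner above also picks up `open|filtered` rows and any other line that happens to contain the word "open". As an added example (not part of the original post), here is a stricter version that keys on the `<port>/tcp open` columns of nmap's normal (`-oN` / `-oA` `.nmap`) output, run against a constructed sample laid out like the scan above:

```shell
#!/bin/sh
# Added example: collect open TCP ports from an nmap normal-output file
# (the .nmap file written by -oN / -oA) into a comma list for a follow-up -p scan.
# Only rows whose first column is "<port>/tcp" and whose state column is exactly
# "open" are taken, so "open|filtered" rows and other lines that merely contain
# the word "open" are skipped.
open_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { split($1, a, "/"); print a[1] }' "$1" \
        | paste -sd ','
}

# Constructed sample in the layout of the scan shown above, plus one
# open|filtered row to show that it is excluded.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# Nmap 7.95 scan initiated (constructed sample)
Nmap scan report for 192.168.113.240
Host is up (0.0038s latency).
Not shown: 65523 filtered tcp ports (no-response)
PORT      STATE         SERVICE
20/tcp    closed        ftp-data
21/tcp    open          ftp
22/tcp    open          ssh
53/tcp    open          domain
80/tcp    open          http
139/tcp   open          netbios-ssn
666/tcp   open          doom
3306/tcp  open          mysql
12380/tcp open          unknown
5000/tcp  open|filtered upnp
EOF

# The result can be handed straight to the detailed scan as -p"$ports".
ports=$(open_ports "$SAMPLE")
echo "$ports"   # 21,22,53,80,139,666,3306,12380
```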

Detailed TCP scan

[code]┌──(kali㉿kali)-[~/PG/replayplay/stapter]
└─$ nmap -sT -sC -sV -O -p21,22,53,80,139,666,3306,12380 192.168.113.240 -oA nmapscan/details
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-15 09:59 EDT
Nmap scan report for 192.168.113.240
Host is up (0.0024s latency).

PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.0.8 or later
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.113.200
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
22/tcp    open  ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|   256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_  256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
53/tcp    open  domain      dnsmasq 2.75
| dns-nsid: 
|_  bind.version: dnsmasq-2.75
80/tcp    open  http        PHP cli server 5.5 or later
|_http-title: 404 Not Found
139/tcp   open  netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp   open  tcpwrapped
3306/tcp  open  mysql       MySQL (blocked - too many connection errors)
12380/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Tim, we need to-do better next year for Initech
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 08:00:27:D9:17:D1 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (97%), Linux 3.13 - 4.4 (97%), Linux 3.16 - 4.6 (97%), Linux 3.8 - 3.16 (97%), Linux 4.4 (97%), Linux 3.2 - 4.14 (97%), Linux 3.13 (95%), Linux 3.18 (94%), Linux 4.2 (94%), Linux 3.13 - 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-time: 
|   date: 2025-10-15T13:44:19
|_  start_date: N/A
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED\x00
|   Domain name: \x00
|   FQDN: red
|_  System time: 2025-10-15T14:44:20+01:00
|_nbstat: NetBIOS name: RED, NetBIOS user: , NetBIOS MAC: (unknown)
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -36m03s, deviation: 34m34s, median: -16m06s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.55 seconds[/code]

Here we can see that FTP allows anonymous access.

Port 53 is dnsmasq 2.75. searchsploit lists a vulnerability for it, but it is a denial-of-service issue and not usable here.

The page title on port 12380 mentions the name Tim; record it in the username wordlist.

nmap script scan

Information gathering

FTP anonymous access

[code]┌──(kali㉿kali)-[~/PG/replayplay]
└─$ ftp 192.168.113.240
Connected to 192.168.113.240.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220 
Name (192.168.113.240:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.[/code]

Access succeeded. There is a name here, Harry; record it in the username wordlist.

[code]200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             107 Jun 03  2016 note
226 Directory send OK.
ftp> get note
local: note remote: note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
100% |**********************************************************|   107       15.70 KiB/s    00:00 ETA
226 Transfer complete.
107 bytes received in 00:00 (9.05 KiB/s)[/code]

After confirming there are no other files, exit.

[code]┌──(kali㉿kali)-[~/PG/replayplay]
└─$ cat note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.[/code]

Add Elly and John to the username wordlist. The note asks Elly to update information on the FTP server, so the guess is that FTP can also be logged into as elly.

But even late into information gathering (with the username wordlist and the other hints), I still could not brute-force FTP at all.

Continuing with information gathering.

List the shares on the SMB server:

[code]┌──(kali㉿kali)-[~/PG/replayplay]
└─$ smbclient -L //192.168.113.240
Password for [WORKGROUP\kali]:

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	kathy           Disk      Fred, What are we doing here?
	tmp             Disk      All temporary files should be stored here
	IPC$            IPC       IPC Service (red server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            RED[/code]

-L: short for "List", lists the shared resources available on the target host (shared folders, printers, etc.).

Here kathy and tmp are accessible file shares.

Access a specific file share:

[code]┌──(kali㉿kali)-[~/PG/replayplay]
└─$ smbclient //192.168.113.240/kathy
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jun  3 12:52:52 2016
  ..                                  D        0  Mon Jun  6 17:39:56 2016
  kathy_stuff                         D        0  Sun Jun  5 11:02:27 2016
  backup                              D        0  Sun Jun  5 11:04:14 2016

		19478204 blocks of size 1024. 16309640 blocks available
smb: \>[/code]

There is not much in it; dump it all:

[code]smb: \> cd kathy_stuff\
smb: \kathy_stuff\> ls
  .                                   D        0  Sun Jun  5 11:02:27 2016
  ..                                  D        0  Fri Jun  3 12:52:52 2016
  todo-list.txt                       N       64  Sun Jun  5 11:02:27 2016

		19478204 blocks of size 1024. 16309636 blocks available
smb: \kathy_stuff\> get todo-list.txt
getting file \kathy_stuff\todo-list.txt of size 64 as todo-list.txt (3.9 KiloBytes/sec) (average 3.9 KiloBytes/sec)
smb: \kathy_stuff\> cd ../
smb: \> ls
  .                                   D        0  Fri Jun  3 12:52:52 2016
  ..                                  D        0  Mon Jun  6 17:39:56 2016
  kathy_stuff                         D        0  Sun Jun  5 11:02:27 2016
  backup                              D        0  Sun Jun  5 11:04:14 2016

		19478204 blocks of size 1024. 16309632 blocks available
smb: \> cd backup
smb: \backup\> ls
  .                                   D        0  Sun Jun  5 11:04:14 2016
  ..                                  D        0  Fri Jun  3 12:52:52 2016
  vsftpd.conf                         N     5961  Sun Jun  5 11:03:45 2016
  wordpress-4.tar.gz                  N  6321767  Mon Apr 27 13:14:46 2015

		19478204 blocks of size 1024. 16309632 blocks available
smb: \backup\> mget *
Get file vsftpd.conf? y
getting file \backup\vsftpd.conf of size 5961 as vsftpd.conf (215.6 KiloBytes/sec) (average 136.8 KiloBytes/sec)
Get file wordpress-4.tar.gz? y
getting file \backup\wordpress-4.tar.gz of size 6321767 as wordpress-4.tar.gz (796.4 KiloBytes/sec) (average 792.7 KiloBytes/sec)
smb: \backup\>[/code]

Looked through them and found no especially valuable clues. Add kathy to the username wordlist.

[code]┌──(kali㉿kali)-[~/PG/replayplay]
└─$ cat todo-list.txt
I'm making sure to backup anything important for Initech, Kathy[/code]

Port 3306: no unauthenticated access.

Neither web port turned up anything particularly useful in scanning.

Source comment on port 12380:

[code] [/code]

Added the username zoe. Tweaked the front end as the comment suggested, but nothing came of it.

[code]┌──(kali㉿kali)-[~/PG/replayplay]
└─$ curl -I http://192.168.113.240:12380
HTTP/1.1 400 Bad Request
Date: Wed, 15 Oct 2025 14:38:41 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Fri, 03 Jun 2016 16:55:33 GMT
ETag: "6a16a-53462974b46e8"
Accept-Ranges: bytes
Content-Length: 434538
Dave: Soemthing doesn't look right here
Connection: close
Content-Type: text/htm[/code]

There is a custom Dave header here; add it to the wordlist.

Port 666: nmap could not identify what service this is, but it is open.

Try connecting with nc/telnet:

[code]telnet 192.168.113.240 666[/code]

[code]┌──(kali㉿kali)-[~/PG/replayplay]
└─$ telnet 192.168.113.240 666
Trying 192.168.113.240...
Connected to 192.168.113.240.
Escape character is '^]'.
(binary data follows; the only readable fragment in it is the file name "message2.jpg")[/code]
Source: submitted by a 程序园 user; if it infringes your rights, contact the site admin to have it removed.